This article was published in partnership with Cowbell.
Data privacy is a growing national concern, with everyone from the federal government to SMEs to individual employees concerned about how, where and why data is collected, stored and accessed. And in today’s digitized world there’s little room for error.
Evolving data privacy regulations are shaping the way businesses approach compliance this year. Speaking to IB, Matthieu Chan Tsin, SVP of resiliency services at Cowbell, says the picture is complicated: regulatory change is being driven by several factors, including advances in technology, increasing public awareness, and growing recognition by both users and regulators of the importance of data protection.
“In the US, there are state-level privacy laws,” he said. “There’s also been a federal refocusing on data security as a national security matter, as highlighted by the Department of Data Security Program that went into effect in April 2025. This means there’s been increased scrutiny of AI technologies and, on top of that, a global push for more stringent data protection measures.”
But here’s where it gets especially complex. According to Chan Tsin, none of these regulations are aligned with one another. When it comes to what businesses need to do, and what the key trends and challenges are, the landscape is disjointed. Combined with rapidly advancing technologies like AI, whose impact on privacy is not yet fully understood, and a lack of cross-border coordination, it is extremely difficult to determine the optimal level of data protection.
“Governments and industries are studying ways to regulate AI and its uses; but AI is moving very quickly,” added Chan Tsin. “Essentially, governments and industries are trying to regulate a technology that’s a quickly moving target whose impact is not yet fully understood.”
The challenge becomes: how do businesses innovate and grow while ensuring they meet shifting privacy requirements?
“That’s the key challenge, at the user level, the regulator level, at the lawmaker level. It’s full of opportunities, full of challenges and headaches – it’s a moving target, but it’s also exciting because we’re in the middle of it,” added Chan Tsin.
This is where cyber insurance comes in. Cyber insurance is a relatively new product. Twenty years ago, no one was talking about it. Ten years ago, the concept took shape. Just five years ago, the market truly emerged.
“So we’re essentially just emerging from our toddler stage here,” added Chan Tsin. “Especially when you compare cyber to other arms of insurance, coverage that was created to protect ships back in the days of the British Empire. Nowadays, cyber insurance providers have been playing a great role in shaping the data privacy landscape – they’ve established de facto soft regulations that aren’t tied to government laws or regulations, but rather to the insurers’ own risk appetite. And this approach has effectively created a market-driven regulatory framework and landscape for data privacy during the underwriting process.”
Chan Tsin explains that Cowbell often mandates the implementation of specific best practices and security solutions by linking these measures to incentives such as lower premiums, higher coverage limits, or even eligibility for insurance.
“Providers [of cyber insurance coverage] have created incentives for businesses to adopt better cybersecurity practices – to protect their network and, by extension, to protect the data that they store,” said Chan Tsin. “This hasn’t just educated businesses about potential risks and mitigation strategies; it’s also raised the overall standard of cybersecurity and data protection across industries.”
Cyber insurers have become accidental catalysts for change, encouraging better data privacy practices and more robust security measures. According to Chan Tsin, this strategy has proven effective in strengthening overall cybersecurity postures and reducing the risk of data breaches and other privacy incidents.
Strong data compliance doesn’t just make good business sense - it also plays a vital role in establishing trust and enhancing brand reputation.
As Chan Tsin explains, Cowbell focuses on SMEs rather than multinational firms, which gives it a distinctive insight into how good data practice leads to increased customer and employee loyalty.
“In our specific case, brand reputation is not necessarily associated with TV commercials or any large-scale marketing efforts, but rather with word of mouth,” he told IB. “[We deal with] the close-knit circles of smaller industries where our policyholders are working – so while strong data privacy compliance definitely fulfils legal requirements, it also builds trust and fosters positive brand image.”
As Chan Tsin explained, companies that hold the all-important SOC 2 and NIST badges should display them online too. That way, customers and clients will immediately recognize that the firm is both legally compliant and trustworthy.
“It allows businesses to show their internal commitment to protect personal information and transparency - and that's especially important today in an era of supply chain attacks. A business not only creates an image of taking responsibility for their data compliance, for their level of cybersecurity, but they’re also expressing that they’re a trusted partner and the sort of business that should be considered.”
As Chan Tsin explained, it all ties back to creating a culture that is legally compliant, wholly transparent and trustworthy – all of which are necessities in a world where cybercrime is the norm.
“Privacy and security are no longer IT problems,” added Chan Tsin. “It’s no longer a cyber issue. It’s no longer a top line, bottom line, middle line item. It is a business behaviour item.”
In today’s high-risk digital environment, Chan Tsin argues that true security goes far beyond ticking regulatory boxes – that all company interaction with any external parties should be viewed as a potential risk to valuable assets.
“These interactions can appear in person, on the phone, online, through automated systems, through API sharing. Regulatory compliance is ongoing and does not guarantee that actors won’t be able to strike or that data won’t be leaked or shared by mistake. Regulations are attempting to address the most common attack vectors. Privacy and security are the responsibility of every employee. It’s not an IT focus. It’s not a legal focus. It’s not a sales focus. Everybody, starting with company executives... must understand that business data and security is an individual responsibility.”
To build a culture of privacy, organizations must embed security at every level. For Chan Tsin, that means comprehensive policies and procedures, employee awareness and training programs, and, above all, leadership commitment.
“Compliance is no longer a task just for legal teams,” added Chan Tsin. “It's become a team sport.”